ProAct Series: Contact Tracing & Customer Data

14 May 2020 by Arran Hunt arranh@shlaw.co.nz

ProAct: Privacy, Contact Tracing, and the Handling of Customer Data

With today’s move to Alert Level 2, new procedures must be put in place to help the country to continue to flatten the curve. The one that many businesses will now be introducing, and which all consumers will need to become accustomed to, is contact tracing. This is where a business keeps a record of all the people who have been on its premises. If another infection was to be found, this information will allow the Ministry of Health to track people who may have had contact with the affected person.

Specifically, the business will be recording, and/or asking you to provide, your name, contact details, and when you were there. As an individual, this is classed as ‘personal information’, and it is the information that is covered under the Privacy Act 1993 (“the Act”).

Issues may arise if the business’s use of this information is called into question. Ideally, there will be some sign or printed notice confirming what the information will be used for. While it may not be strictly required (which we will come to below), we recommend that our clients are upfront, and clarify the purpose for which the information is being collected. For personal information given for contact tracing, we would recommend that it is recorded just for that purpose, to be provided to the Ministry of Health IF an infected person was believed to be on the premises. This is the public perception of why the information is being provided and, unless clearly stated otherwise, is the only use it should have. Under the Act, personal information provided for a purpose can only be used for the purpose stated with, of course, some particular exceptions provided for in the Act.

While we encourage clients to be clear and open about what personal information is being used for, with contact tracing there isn’t a need to give the reason, and this is due to one of those exceptions. Information Privacy Principle 10 states that information can be used for another purpose if the information holder believes:

(1)(d) that the use of the information for that other purpose is necessary to prevent or lessen a serious threat (as defined in section 2(1)) to—(i) public health or public safety; or(ii) the life or health of the individual concerned or another individual

So, while the information will have been provided for the purpose of contact tracing, there is also an exception in the Act which allows it to be used for another purpose. This would also cover information gained through other applications, such as food ordering applications which will have recorded the details of who ordered the food to be collected. The Privacy Commissioner has confirmed this use in relation to the current pandemic.

Businesses should still be cautious about using personal information, gathered by contact tracing, for any other purpose. If customers aren’t provided with details about what the personal information will be used for, then it should be limited to just contact tracing (and even then with caution, and only given to a government-directed body who need it for the above reason).

If you do provide wording about what it will be used for, we would recommend against using such information for advertising to the customer unless this made very clear. If you did want to use that information for future marketing then we would recommend having a tick box allowing the customer to opt-in for such marketing. With the stress people are currently under, we believe that a company would likely attract adverse media coverage if it was found that the required contact tracing information was being used for marketing through the use of a small, concealed clause which the customer may be unable to read while in a rush. The damage caused would likely outweigh any benefit gained. If you did want to keep in contact with customers then we would recommend that including a tick box, asking them to confirm if they want to be updated about changes or specials, would be a safer approach.

Of course other non-advertising uses of the personal information will also certainly be unlawful. One recent example is a worker who allegedly used the personal information provided to contact a customer he was attracted to. This is clearly beyond the purpose for which that contact tracing information was sought. For that purpose, businesses need to ensure that their staff are aware of the private nature of this information, and that it should be kept safe.

All of the provisions of the Act continue to apply to personal information collected through contact tracing, including a person’s right to access their information or correct that information. However, such requests may, in certain situations, be refused under s29(2) of the Act as the information may not be readily available, (for example, where there are thousands of handwritten pages and no way to determine which page the person appeared on).

This covers just a few small items of note on the Privacy Act 1993 as we move into a contact traced world. Of course there are many other things to consider, including the upcoming changes to the Act, and these will be covered in future posts. In the meantime, feel free to contact us with your questions, if you need help with a privacy policy or a request under the Act. Also, remember to sign up here to be notified of future posts in the ProAct series.